bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e

Analysis

max time kernel
111s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e.exe
Size

40KB
MD5

6d6335306100dc9af0afd5891c64c184
SHA1

643ac1c46a3defd2fc393483ec1a6a87cf375949
SHA256

bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e
SHA512

e7ca027ec3b0b3da3bad9a0ee3df78a9ce645cc8efa4e5cd794e81499b7b3893e475903398651be675f7f620f4923edd60016cc77d567b0520ddeb13b4c0d06e
SSDEEP

768:eI5TKX1DhH1Iqk9Mv3BDSmzq38roaF+FcE5omipA2i5:eI5TKRhPkCvJSmU8roaF+FcE2/8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3724	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4104	2348	bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e.exe	88
PID 2348 wrote to memory of 4104	2348	bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e.exe	88
PID 2348 wrote to memory of 4104	2348	bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e.exe	88
PID 4104 wrote to memory of 3724	4104	cmd.exe	90
PID 4104 wrote to memory of 3724	4104	cmd.exe	90
PID 4104 wrote to memory of 3724	4104	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e.exe
"C:\Users\Admin\AppData\Local\Temp\bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping -n 10 127.0.0.1 > NUL && del "C:\Users\Admin\AppData\Local\Temp\bae078193ba160298102c2cd5c1a46dc3782a486721ca8ca4e8dd3d67d85418e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2348-133-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/2348-132-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2348-134-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/2348-135-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2348-136-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/2348-138-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3724-139-0x0000000000000000-mapping.dmp

Download
memory/4104-137-0x0000000000000000-mapping.dmp

Download